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I. REAL PARTY IN INTEREST 

Sun Microsystems, Inc. is the real party in interest. 

II. RELATED APPEALS AND INTERFERENCES 

Appellant is unaware of any related appeals or interferences. 
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III. STATUS OF CLAIMS 

Claims 2, 23, and 44 are canceled. Claims 1, 3-22, 24-43, and 45-66 are pending in this 
application, have been finally rejected, and are the subject of this appeal. 

IV. STATUS OF AMENDMENTS 

No amendments were filed after the Final OflSce Action mailed on April 7, 2004. 

V. SUMMARY OF CLAIMED SUBJECT MATTER 

With regard to Claim 1, there is recited a method performed by a fi-amework in a system 

comprising the firamework and at least one application, that method comprising: 

receiving a request from the application for a customized implementation 
of a service; 

determining a set of zero or more restrictions to be imposed upon said 
customized implementation; 

dynamically constructing said customized implementation, said 
customized implementation incorporating said restrictions, and comprising 
enforcement logic for enforcing said restrictions; and 

providing said customized implementation to the application; 

wherein said customized implementation is invocable by the 
application without further interaction with the framework. 

With reference to Fig. 1 , there is shown a block diagram of a system 100 in which the 
method of Claim 1 may be implemented. The system 100 comprises one or more applications 
104, one or more general implementations 106, and a framework 102 for facilitating interaction 
between the various components. The applications 104 request and receive implementations of 
services from the framework 102. The term ^'service" is defined broadly to encompass any 
ftinctionality requested by and provided to an application, including but not limited to 
encryption/decryption fimctionality (Application, page 5, lines 5-14). 

When an application 104 requests an implementation from the framework 102, the 
application 104 specifies the type of service for which it wishes an implementation. For 
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example, the application 104 may request an implementation for the "Blowfish" encryption 
algorithm. In response, the framework 102 provides, to the application 104, an implementation 
of the requested service, which is customized for the appHcation 104 making the request. The 
customized implementation provided by the framework 102 may contain restrictions on the 
services that it can provide (AppUcation, page 5, lines 15-21), 

The general implementations 106 represent the implementations for services that can be 
"plugged in" to or interfaced with the framework 102. Each general implementation 106 
implements a particular type of service. For example, one general implementation may 
implement the "Blowfish" encryption algorithm, while another may implement the DES 
encryption algorithm. Each general implementation 106 is unrestricted. That is, the general 
implementations 106 themselves are not hampered by restrictions. In the case where the general 
implementations 106 are implementations of encryption algorithms, this means that the 
encryption algorithms may be set to full strength (Application, page 6, lines 1-10). 

In system 100, the framework 102 is the component responsible for coordinating the 
overall operation of the system 100. A flowchart illustrating the general operation of the 
framework 102 is shown in Fig, 2. As shown in Fig. 2, the framework 102 operates by receiving 
(202) a request from an application 104 for an implementation of a particular type of service (e.g. 
an implementation for the "Blowfish" encryption algorithm). In response, the framework 102 
determines (204) what restrictions, if any, need to be imposed on the requested implementation 
(Application, page 6, lines 13-19), 

Once the restrictions are determined, the framework 102 dynamically constructs (206) the 
requested implementation. In one embodiment, the requested implementation is constructed by 
finding an associated general implementation 106 which implements the type of service 
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requested (e.g. a general implementation 106 which implements the "Blowfish" encryption 
algorithm). Once found, the associated general implementation 106 is incorporated into the 
requested implementation, along with the restrictions determined previously, hi addition, a set of 
enforcement logic is also incorporated into the requested implementation. This enforcement 
logic ensures that the restrictions are enforced on the associated general implementation 106. 
Thus, even though the associated general implementation 106 itself may not have any 
restrictions, the enforcement logic causes the proper restrictions to be enforced on the associated 
general implementation 106. With the associated general implementation, the restrictions, and 
the enforcement logic incorporated therein, the construction of the requested implementation is 
complete. Since the requested implementation is constructed specifically for the requesting 
application 104, and hence, may incorporate restrictions specific to the requesting appHcation, 
the requested implementation may be viewed as a customized implementation, which is 
customized for the requesting application 104 (AppHcation, page 7, lines 1-18), 

Once the customized implementation is constructed, it is provided (208 ) to the requesting 
application 104, Thereafter, the application 104 may directly request services from the 
customized implementation. Since the customized implementation incorporates the restrictions 
and enforcement logic for enforcing the restrictions, it is not necessary for the application 104 to 
further interact with the framework 102. The customized implementation itself will provide the 
services, and will guarantee that the restrictions are enforced on the services. By dynamically 
constructing customized implementations in this manner, the framework 102 ensures that the 
necessary restrictions are enforced on the services provided to the application 104 (Application, 
page 7, line 19, to page 8, line 2). 
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Claim 22 recites a system comprising at least one application and a framework 
comprising mechanisms that perform the steps of the method recited in Claim 1 . Each 
mechanism is recited in means-plus-function form. An example of a mechanism for receiving a 
request from the application for a customized implementation of a service is shown in Fig. 3 as a 
Getlnstance method of a Cipher object class 306 (Application, page 8, lines 17-19). An example 
of a mechanism for determining a set of zero or more restrictions to be imposed upon said 
customized implementation is shown in Fig. 3 as a GetCryptoPermission method of a 
JCESecurityManager class 316 (Application, page 12, lines 14-18). An example of a mechanism 
for dynamically constructing said customized implementation, said customized implementation 
incorporating said restrictions, and comprising enforcement logic for enforcing said restrictions, 
is shown in Fig. 3 as a constructor method of the Cipher object class 306 (Application, page 14, 
lines 12-16). An example of a mechanism for providing said customized implementation to the 
application is shown in Fig. 3 as the Getlnstance method of the Cipher object class 306 
(Application, page 15, lines 1-3). The application can invoke the methods of the customized 
implementation directly, without fiirther interaction with the framework (Application, page 15, 
lines 3-4). 

Claim 43 recites a computer-readable medium having stored thereon instructions which, 
when executed by one or more processors, cause the one or more processors to perform the steps 
of the method recited in Claim 1 . 

VL GROUNDS OF REJECTION TO BE REVIEWED ON APPEAL 

Claims 1, 3-16, 22, 24-37, 43, and 45-58 stand rejected under 35 U.S.C. § 102(e) as being 
anticipated by U.S. Patent No..6,389,534 to Elgamal et al. ("Elgamal"). 
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Claims 17-21, 38-42, and 59-63 stand rejected under 35 U.S.C. § 103(a) as being 
unpatentable over Elgamal in view of U.S. Patent No. 5,933,503 to Schell et al. ("Schell"). 

Claims 64-66 stand rejected under 35 U.S.C. § 103(a) as being unpatentable over 
Elgamal in view of U.S. Patent No, 6,005,942 to Chan et al. ("Chan"). 

VIL ARGUMENTS 

A. The Limitations of Claims 1, 3-16. 22, 24-37. 43, and 45-58 Are Not in Anv Way 
Taught or Suggested by Elgamal 

Among other limitations, Claim 1 recites, "wherein said customized implementation is 
invocable by the application without further interaction with the framework." As will be 
shown below, Elgamal does not teach or suggest a customized implementation that is invocable 
by an application without further interaction with a framework. 

The method of Claim 1 is quite advantageous because it allows an application to obtain 
access to services without repeatedly requesting those services from some centralized 
framework. Specifically, when an application needs to access a particular service, it makes a 
request to a centralized fi-amework for a customized implementation of that service. In response, 
the centralized framework dynamically constructs the customized implementation. The 
customized implementation includes enforcement logic for enforcing certain restrictions on the 
service. The centralized framework then provides the customized implementation to the 
requesting application. Notice that it is an invocable implementation of the service that is 
returned to the application, not a result of an operation. Because this is the case, the application 
can, in the future, obtain the service by invoking the customized implementation directly. The 
application does not need to interact with the framework again to obtain the service. By 
removing the framework from the service request/provision process, the method of Claim 1 
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removes the centralized framework as a potential performance bottleneck. This and other 
benefits can be derived from the method of Claim 1 . 

In order to determine whether Elgamal teaches or suggests a customized implementation 
that is invocable by an application without further interaction with the framework, it must be 
determined what component of Elgamal, if any, corresponds to the framework recited in Claim 
1. Claim 1 makes it clear that the framework performs the step of receiving, from the 
application, a request for the customized implementation; thus, no component of Elgamal can 
qualify as such a framework unless that component receives such a request from an application. 

The Examiner has not made it clear what component of Elgamal is supposed to 
correspond to the framework of Claim 1. However, in col. 5, lines 29-37, Elgamal discloses that 
applications 101-103 call service modules 104-107 to perform operations that perform 
cryptographic ftinctions. Setting aside, for now, the question of whether such a call constitutes a 
"request for a customized implementation of a service," service modules 104-107 appear to be 
the only components of Elgamal that receive requests of any kind from applications 101-103. 
Therefore, in the absence of any contrary explanation from the Examiner, appellants can only 
assume that service modules 104-107 are supposed to correspond to part of the framework of 
Claim 1. 

Having assumed this, it next must be determined whether Elgamal discloses any 
"customized implementation" that is invocable by at least one of applications 101-103 without 
further interaction (i.e., interaction that occurs after the retuming of the customized 
implementation to the application) with service modules 104-107. Although the Examiner has 
not expressly stated what component of Elgamal is supposed to correspond to the customized 
implementation recited in Claim 1, the Examiner appears to allege that a combination of policy 
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filters 108-1 1 1 and crypto plugin modules 114-116 correspond to the customized 
implementation. When one of applications 101-103 is executed, crypto plugin modules 114-116 
are loaded, and pohcy configuration module configures pohcy filters 108-1 1 1 (col. 5, lines 17- 
23). Apparently, the Examiner equates this configuration of policy filters 108-1 1 1 to the 
"dynamic construction" of a customized implementation required by Claim 1 . When one of 
applications 101-103 calls one of service modules 104-107 to request an operation, that service 
module calls its corresponding policy filter to determine whether the called operation is allowed. 
If the corresponding policy filter does not approve the called operation, then the service module 
returns an error to the application. On the other hand, if the correspond policy filter approves the 
called operation, then the service module performs the requested operation, calling one of crypto 
plugin modules 1 14-1 16 as needed (col. 6, lines 32-43). 

Notice that the apphcations 101-103 have to call the service modules 104-107 in order to 
get access to service. This is so even after the pohcy filters 108-1 1 1 have been configured and 
made available to the applications 101-103 . Since the service modules 104-107 are part of the 
fi*amework (as argued above), this means that the apphcations 101-103 always have to go 
through the fi-amework to get access to a service. It is precisely this type of interaction that the 
method of claim 1 beneficially avoids. Unlike the method of claim 1, Elgamal does not provide 
a customized implementation to the applications 101-103 that can be invoked without fiirther 
interaction with the firamework. 

Appellants previously submitted the above arguments to the Examiner in a response to 
the Final Office Action. In an Advisory Action mailed October 21, 2004, the Examiner 
responded that (a) the "cipher suites" (apparently referring to crypto plugin modules 114-116) 
are loaded once, (b) after this one-time loading operation, applications 101-103 interacted with 
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"other modules" (apparently referring to service modules 104-107) that approved or disapproved 
of "further processes" (apparently referring to application-requested operations) and (c) these 
interactions are not equivalent to the prior one-time loading process. 

Although it is difficult to tell, the Examiner seems to be saying that the interaction of 
applications 101-103 v^ith service modules 104-107 does not qualify as "further interaction v^ith 
the fi-amew^ork" because the framev^ork is something other than service modules 104-107. Once 
again, though, no component of Elgamal can qualify as the "framework" of Claim 1 unless, 
among other things, that component receives, from an application, a request for a customized 
implementation of a service. Elgamal does not identify the component that loads crypto plugin 
modules 114-116; Elgamal only appears to disclose that crypto plugin modules 114-116 "are 
loaded." Elgamal discloses that policy fiher initialization module 112 configures policy filters 
108-1 1 1 . Hov^ever, Elgamal does not appear to disclose that poHcy filter initialization module 
1 12 ever receives a request fi-om any of applications 101-103. Indeed, Elgamal does not appear 
to disclose that either the loading of crypto plugin modules 1 14-1 16 or the configuration of 
policy filters 108-1 1 1 in any w^ay involves a request from one or more of applications 101-103; 
both the loading of crypto plugin modules 114-116 and the configuration of policy filters 108- 
1 1 1 is done in response to the execution of one of applications 101-103 rather than the receipt of 
a request from such an application (col 5, lines 17-23). 

As is stated above, service modules 104-107 appear to be the only components in 
Elgamal that ever receive a request from an application; it is only through service modules 104- 
107 that applications 101-103 request operations from crypto plugin modules 114-116. Thus, if 
service modules 104-107 do not correspond to the framework required by Claim 1, then Elgamal 
fails to teach or suggest a framework as required by Claim 1. Conversely, if service modules 
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104-107 correspond to the framework required by Claim 1, then appHcations 101-103 
necessarily interact with the framework after the alleged dynamic construction of the alleged 
customized implementation and after the alleged provision of the alleged customized 
implementation to appUcations 101-103. However, the method of Claim 1 recites that the 
customized implementation is invocable by the application without such "further interaction." 
In either case, Elgamal fails to teach or suggest the method of Claim L 

Based on the foregoing, it is therefore respectfiiUy submitted that Elgamal does not in any 
way teach or suggest at least one of the limitations for which Elgamal was relied upon in the 
Final Office Action, namely, the limitation in Claim 1 of "wherein said customized 
implementation is invocable by the application without further interaction with the 
framework." Claim 1 is therefore patentable over Elgamal. 

Claims 3-16 depend from Claim 1 and include all of the limitations of Claim 1. It is 
therefore respectfiilly submitted that Claims 3-16 are patentable over Elgamal for at least the 
reasons set forth herein with respect to Claim 1 . 

Claims 22 and 24-37 contain limitations similar to Claims 1 and 3-16, respectively, 
except in the context of a framework. It is therefore respectfiilly submitted that Claims 22 and 
24-37 are patentable over Elgamal for at least the reasons set forth herein with respect to Claims 
1 and 3-16. 

Claims 43 and 45-58 contain hmitations similar to Claims 1 and 3-16, respectively, 
except in the context of a computer-readable medium. It is therefore respectfiilly submitted that 
Claims 43 and 45-58 are patentable over Elgamal for at least the reasons set forth herein with 
respect to Claims 1 and 3-16. 
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B. The Limitations of Claims 17-2L 38-42, and 59-63 Are Not in Anv Way Taught or 
Suggested by Elgamal and Schell 

By virtue of their dependence upon Claim 1, Claims 17-21 also contain the limitations of 
Claim 1, including the limitation of "wherein said customized implementation is invocable by 
the application without further interaction with the framework." 

As is discussed above, Elgamal fails to teach or suggest at least this limitation. Thus, 
Claims 17-21 are patentable over Elgamal, taken individually. 

Schell also fails to teach or suggest this Hmitation. Indeed, the Office Action relies only 
upon Elgamal to disclose this limitation. The Final Office Action does not even allege that 
Schell teaches or suggests this limitation. Thus, Claims 17-21 are patentable over Schell, taken 
individually. 

Even assuming, arguendo, that it would have been obvious to combine Elgamal and 
Schell, the combination of Elgamal and Schell still fails to teach or suggest the limitation 
"wherein said customized implementation is invocable by the application without further 
interaction with the framework" as contained in Claims 17-21. It is therefore respectfully 
submitted that Claims 17-21 are patentable over Elgamal and Schell. 

Claims 38-42 contain limitations similar to Claims 17-21, respectively, except in the 
context of a framework. It is therefore respectfully submitted that Claims 38-42 are patentable 
over Elgamal and Schell for at least the reasons set forth herein with respect to Claims 17-21. 
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Claims 59-63 contain limitations similar to Claims 17-21, respectively, except in the 
context of a computer-readable medium. It is therefore respectfully submitted that Claims 59-63 
are patentable over Elgamal and Schell for at least the reasons set forth herein with respect to 
Claims 17-21. 

C. The Limitations of Claims 64-66 Are Not in Any Way Taught or Suggested by 
Elgamal and Chan 

By virtue of its dependence upon Claim 1, Claim 64 also contains the limitations of 
Claim 1, including the limitation of "wherein said customized implementation is invocable by 
the application without further interaction with the framework." 

As is discussed above, Elgamal fails to teach or suggest at least this limitation. Thus, 
Claim 64 is patentable over Elgamal, taken individually. 

Chan also fails to teach or suggest this limitation. Indeed, the Office Action relies only 
upon Elgamal to disclose this limitation. The Final Office Action does not even allege that Chan 
teaches or suggests this limitation. Thus, Claim 64 is patentable over Chan, taken individually. 

Even assuming, arguendo, that it would have been obvious to combine Elgamal and 
Chan, the combination of Elgamal and Chan still fails to teach or suggest the limitation 'Vherein 
said customized implementation is invocable by the appUcation without further interaction with 
the framework" as contained in Claim 64. It is therefore respectfully submitted that Claim 64 is 
patentable over Elgamal and Chan. 

Additionally, the portion of Chan cited in the Final Office Action (col. 8, lines 30-44) 
refers to the "JAVA Card standard," rather than the "Java Cryptography Extension to Java 
Platform" recited in Claim 64. The "JAVA Card standard" is not the same as the "Java 
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Cryptography Extension to Java Platform" recited in Claims 64. Thus, Claim 64 is patentable 
over Chan, taken individually. 

The Final Office Action admits that Elgamal does not teach or suggest a framework that 
comprises the Java Cryptography Extension to Java Platform as required by Claim 64. Thus, 
Claim 64 is patentable over Elgamal, taken individually. 

Even assuming, arguendo, that it would have been obvious to combine Elgamal and 
Chan, the combination of Elgamal and Chan still fails to teach, or suggest a framework that 
comprises the Java Cryptography Extension to Java Platform as required by Claim 64. It is 
therefore respectfully submitted that Claim 64 is patentable over Elgamal and Chan. 

Claim 65 and 66 contain limitations similar to Claim 64, except in the contexts of a 
system and a computer-readable medium, respectively. It is therefore respectfully submitted that 
Claims 65 and 66 are patentable over Elgamal and Chan for at least the reasons set forth herein 
with respect to Claims 64. 
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Vm. CONCLUSION AND PRAYER FOR RELIEF 

Based on the foregoing, it is respectfully submitted the rejections of Claims 1, 3-16, 22, 
24-37, 43, and 45-58 lack the requisite factual and legal bases. Appellants therefore respectfully 
request that the Honorable Board reverse the rejections of Claims 1, 3-16, 22, 24-37, 43, and 45- 
58. 

Respectfully submitted, 

HICKMAN PALERMO TRUONG & BECKER LLP 



Date: December 6, 2004 



1600 Willow Street 

San Jose, CaHfomia 95125-5106 

Tel: (408) 414-1224 

Fax: (408)414-1076 




Christian A. Nicholes 
Registration No. 50,266 
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CLAIMS APPENDIX 



1 1 . In a system comprising at least one application and a framework, a method 

2 performed by the framework comprising: 

3 receiving a request from the application for a customized implementation of a 

4 service; 

5 determining a set of zero or more restrictions to be imposed upon said customized 

6 implementation; 

7 dynamically constructing said customized implementation, said customized 

8 implementation incorporating said restrictions, and comprising enforcement logic for 

9 enforcing said restrictions; and 

10 providing said customized implementation to the appKcation; 

1 1 wherein said customized implementation is invocable by the application without 

12 further interaction with the framework. 

1 3. The method of claim 1, wherein the system fiirther comprises a general 

2 implementation for said service, wherein said general implementation is unrestricted, and 

3 wherein said customized implementation further incorporates said general 

4 implementation. 

1 4. The method of claim 3, wherein said enforcement logic enforces said 

2 restrictions on said general implementation. 

1 5. The method of claim 1, wherein said enforcement logic is invoked upon 

2 initialization of said customized implementation. 



1 
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1 6. The method of claim 5, wherein said enforcement logic, when invoked: 

2 receives a set of desired parameters from the application; 

3 determines whether the desired parameters exceed said restrictions; and 

4 in response to a determination that the desired parameters exceed said restrictions, 

5 preventing said customized implementation from operating. 

1 7. The method of claim 5, wherein said service is an encryption/decryption 

2 service, and wherein said enforcement logic, when invoked: 

3 determines whether a particular exemption mechanism has been invoked; and 

4 in response to a determination that the particular exemption mechanism has not 

5 been invoked, preventing said customized implementation from operating. 

1 8. The method of claim 1, wherein determining the set of zero or more 

2 restrictions comprises: 

3 accessing information specifying one or more limitations; and 

4 processing said limitations to derive said restrictions. 

1 9. The method of claim 8, wherein said service is an encryption/decryption 

2 service, and wherein said information comprises a set of one or more default encryption 

3 limitations. 

1 10. The method of claim 9, wherein said default encryption limitations are 

2 derived by merging multiple jurisdiction policies and extracting therefrom the most 

3 restrictive encryption limitations. 
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1 11. The method of claim 1 , wherein detemiining the set of zero or more 

2 restrictions comprises: 

3 accessing information specifying one or more limitations; 

4 determining permissions, if any, granted to the application; and 

5 reconciling said limitations and said permissions to derive said restrictions. 

1 12. The method of claim 11, wherein said limitations and said permissions are 

2 reconciled to derive restrictions which are least restrictive. 

1 13. The method of claim 11, wherein said service is an encryption/decryption 

2 service, and wherein said information comprises a set of one or more default encryption 

3 limitations, and a set of zero or more exempt encryption limitations which apply when 

4 one or more exemption mechanisms are implemented. 

1 14. The method of claim 13, wherein said default encryption limitations and 

2 said exempt encryption limitations are derived by merging multiple jurisdiction policies 

3 and extracting therefrom the most restrictive encryption limitations. 

1 15. The method of claim 13, wherein reconciling said limitations and said 

2 permissions comprises: 

3 determining whether the application has been granted any permissions; and 

4 in response to a determination that the application has not been granted any 

5 permissions, deriving said restrictions from said set of defauh encryption limitations. 
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1 16. The method of claim 13, wherein reconciUng said Umitations and said 

2 permissions comprises: 

3 determining whether the appKcation has been granted any permissions which 

4 require implementation of a particular exemption mechanism; 

5 in response to a determination that the application has been granted a permission 

6 which requires implementation of a particular exemption mechanism, determining 

7 whether said exempt encryption limitations allow said particular exemption mechanism 

8 to be implemented; and 

9 in response to a determination that said exempt encryption limitations allow said 

10 particular exemption mechanism to be implemented, deriving said restrictions from said 

1 1 set of exempt encryption limitations. 

1 17. The method of claim 1, wherein the system further comprises a general 

2 implementation for said service, and wherein dynamically constructing said customized 

3 implementation comprises: 

4 instantiating the general implementation to give rise to a general implementation 

5 instance; 

6 instantiating a wrapper object; and 

7 encapsulating said general implementation instance and said restrictions within 

8 said wrapper object to derive said customized implementation. 

1 18. The method of claim 17, wherein said wrapper object comprises one or 

2 more invocable methods, wherein said general implementation instance comprises one or 

3 more invocable methods, and wherein encapsulating comprises: 
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1 mapping one or more of the invocable methods of said wrapper object to one or 

2 more of the invocable methods of said general implementation instance. 

1 19. The method of claim 18, wherein said wrapper object comprises 

2 initialization logic for enforcing said restrictions on said general implementation instance. 

1 20. The method of claim 19, wherein said initialization logic is invoked prior 

2 to allowing any of the invocable methods of said general implementation instance to be 

3 invoked. 

1 21. The method of claim 1 7, further comprising: 

2 instantiating an exemption mechanism to give rise to an exemption mechanism 

3 instance; and 

4 encapsulating said exemption mechanism instance within said wrapper object. 

1 22. In a system comprising at least one application, a framework comprising: 

2 a mechanism for receiving a request from the application for a customized 

3 implementation of a service; 

4 a mechanism for determining a set of zero or more restrictions to be imposed 

5 upon said customized implementation; 

6 a mechanism for dynamically constructing said customized implementation, said 

7 customized implementation incorporating said restrictions, and comprising enforcement 

8 logic for enforcing said restrictions; and 

9 a mechanism for providing said customized implementation to the application; 

10 wherein said customized implementation is invocable by the application without 

11 further interaction with the framework. 



P4552NP 19 



Attorney Docket No. 15437-0112 



1 24. The framework of claim 22, wherein the system further comprises a 

2 general implementation for said service, wherein said general implementation is 

3 unrestricted, and wherein the mechanism for dynamically constructing said customized 

4 implementation further incorporates said general implementation within said customized 

5 implementation. 

1 25. The framework of claim 24, wherein said enforcement logic enforces said 

2 restrictions on said general implementation. 

1 26. The framework of claim 22, wherein said enforcement logic is invoked 

2 upon initialization of said customized implementation. 

1 27. The framework of claim 26, wherein said enforcement logic, when 

2 invoked: 

3 receives a set of desired parameters from the application; 

4 determines whether the desired parameters exceed said restrictions; and 

5 in response to a determination that the desired parameters exceed said restrictions, 

6 preventing said customized implementation from operating. 

1 28. The framework of claim 26, wherein said service is an 

2 encryption/decryption service, and wherein said enforcement logic, when invoked: 

3 determines whether a particular exemption mechanism has been invoked; and 

4 in response to a determination that the particular exemption mechanism has not 

5 been invoked, preventing said customized implementation from operating. 
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1 29. The framework of claim 22, wherein the mechanism for determining the 

2 set of zero or more restrictions comprises: 

3 a mechanism for accessing information specifying one or more Hmitations; and 

4 a mechanism for processing said limitations to derive said restrictions. 

1 30. The framework of claim 29, wherein said service is an 

2 encryption/decryption service, and wherein said information comprises a set of one or 

3 more default encryption limitations. 

1 31 . The framework of claim 30, wherein said default encryption limitations 

2 are derived by merging multiple jurisdiction poUcies and extracting therefrom the most 

3 restrictive encryption limitations. 

1 32. The framework of claim 22, wherein the mechanism for determining the 

2 set of zero or more restrictions comprises: 

3 a mechanism for accessing information specifying one or more limitations; 

4 a mechanism for determining permissions, if any, granted to the application; and 

5 a mechanism for reconciling said limitations and said permissions to derive said 

6 restrictions. 

1 33. The fi-amework of claim 32, wherein said limitations and said permissions 

2 are reconciled to derive restrictions which are least restrictive. 

1 34. The framework of claim 32, wherein said service is an 

2 encryption/decryption service, and wherein said information comprises a set of one or 
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1 more default encryption limitations, and a set of zero or more exempt encryption 

2 limitations which apply when one or more exemption mechanisms are implemented. 

1 35. The framework of claim 34, wherein said default encryption limitations 

2 and said exempt encryption limitations are derived by merging multiple jurisdiction 

3 policies and extracting therefrom the most restrictive encryption limitations. 

1 36. The framework of claim 34, wherein the mechanism for reconciling said 

2 limitations and said permissions comprises: 

3 a mechanism for determining whether the application has been granted any 

4 permissions; and 

5 a mechanism for deriving, in response to a determination that the application has 

6 not been granted any permissions, said restrictions fi'om said set of default encryption 

7 limitations. 

1 37. The framework of claim 34, wherein the mechanism for reconciling said 

2 limitations and said permissions comprises: 

3 a mechanism for determining whether the application has been granted any 

4 permissions which require implementation of a particular exemption mechanism; 

5 a mechanism for determining, in response to a determination that the application 

6 has been granted a permission which requires implementation of a particular exemption 

7 mechanism, whether said exempt encryption limitations allow said particular exemption 

8 mechanism to be implemented; and 
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9 a mechanism for deriving, in response to a determination that said exempt 

10 encryption limitations allow said particular exemption mechanism to be implemented, 

1 1 said restrictions from said set of exempt encryption limitations. 

1 38. The framework of claim 22, wherein the system further comprises a 

2 general implementation for said service, and wherein the mechanism for dynamically 

3 constructing said customized implementation comprises: 

4 a mechanism for instantiating the general implementation to give rise to a general 

5 implementation instance; 

6 a mechanism for instantiating a wrapper object; and 

7 a mechanism for encapsulating said general implementation instance and said 

8 restrictions within said wrapper object to derive said customized implementation. 

1 39. The framework of claim 38, wherein said wrapper object comprises one or 

2 more invocable methods, wherein said general implementation instance comprises one or 

3 more invocable methods, and wherein the mechanism for encapsulating comprises: 

4 a mechanism for mapping one or more of the invocable methods of said wrapper 

5 object to one or more of the invocable methods of said general implementation instance. 

1 40. The framework of claim 39, wherein said wrapper object comprises 

2 initialization logic for enforcing said restrictions on said general implementation instance. 

1 41. The framework of claim 40, wherein said initialization logic is invoked 

2 prior to allowing any of the invocable methods of said general implementation instance to 

3 be invoked. 
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1 42. The framework of claim 38, further comprising: 

2 a mechanism for instantiating an exemption mechanism to give rise to an 

3 exemption mechanism instance; and 

4 a mechanism for encapsulating said exemption mechanism instance within said 

5 wrapper object. 

1 43. In a system comprising at least one application, a computer readable 

2 medium having stored thereon instructions which, when executed by one or more 

3 processors, cause the one or more processors to implement a fi-amework which 

4 dynamically constructs a customized implementation of a service, said computer readable 

5 medium comprising: 

6 instructions for causing one or more processors to receive a request from the 

7 application for a customized implementation of a service; 

8 instructions for causing one or more processors to determine a set of zero or more 

9 restrictions to be imposed upon said customized implementation; 

10 instructions for causing one or more processors to dynamically construct said 

1 1 customized implementation, said customized implementation incorporating said 

12 restrictions, and comprising enforcement logic for enforcing said restrictions; and 

13 instructions for causing one or more processors to provide said customized 

14 implementation to the apphcation; 

15 wherein said customized implementation is invocable by the application without 

1 6 further interaction with the framework. 
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1 45. The computer readable medium of claim 43, wherein the system further 

2 comprises a general implementation for said service, wherein said general 

3 implementation is unrestricted, and wherein said customized implementation further 

4 incorporates said general implementation. 

1 46. The computer readable medium of claim 45, wherein said enforcement 

2 logic enforces said restrictions on said general implementation. 

1 47. The computer readable medium of claim 43, wherein said enforcement 

2 logic is invoked upon initialization of said customized implementation. 

1 48. The computer readable medium of claim 47, wherein said enforcement 

2 logic, when invoked: 

3 receives a set of desired parameters from the application; 

4 determines whether the desired parameters exceed said restrictions; and 

5 in response to a determination that the desired parameters exceed said restrictions, 

6 preventing said customized implementation from operating. 

1 49. The computer readable medium of claim 47, wherein said service is an 

2 encryption/decryption service, and wherein said enforcement logic, when invoked: 

3 determines whether a particular exemption mechanism has been invoked; and 

4 in response to a determination that the particular exemption mechanism has not 

5 been invoked, preventing said customized implementation from operating. 
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1 50. The computer readable medium of claim 43, wherein the instructions for 

2 causing one or more processors to determine the set of zero or more restrictions 

3 comprises: 

4 instructions for causing one or more processors to access information specifying 

5 one or more limitations; and 

6 instructions for causing one or more processors to process said limitations to 

7 derive said restrictions. 

1 51. The computer readable medium of claim 50, wherein said service is an 

2 encryption/decryption service, and wherein said information comprises a set of one or 

3 more default encryption limitations. 

1 52. The computer readable medium of claim 5 1 , wherein said default 

2 encryption limitations are derived by merging multiple jurisdiction policies and 

3 extracting therefrom the most restrictive encryption limitations. 

1 53. The computer readable medium of claim 43, wherein the instructions for 

2 causing one or more processors to determine the set of zero or more restrictions 

3 comprises: 

4 instructions for causing one or more processors to access information specifying 

5 one or more limitations; 

6 instructions for causing one or more processors to determine permissions, if any, 

7 granted to the application; and 

8 instructions for causing one or more processors to reconcile said limitations and 

9 said permissions to derive said restrictions. 
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1 54. The computer readable medium of claim 53, wherein said limitations and 

2 said permissions are reconciled to derive restrictions which are least restrictive. 

1 55. The computer readable medium of claim 53, wherein said service is an 

2 encryption/decryption service, and wherein said information comprises a set of one or 

3 more default encryption limitations, and a set of zero or more exempt encryption 

4 limitations which apply when one or more exemption mechanisms are implemented. 

1 56. The computer readable medium of claim 55, wherein said default 

2 encryption limitations and said exempt encryption limitations are derived by merging 

3 multiple jurisdiction policies and extracting therefrom the most restrictive encryption 

4 limitations. 

1 57. The computer readable medium of claim 55, wherein the instructions for 

2 causing one or more processors to reconcile said limitations and said permissions 

3 comprises: 

4 instructions for causing one or more processors to determine whether the 

5 application has been granted any permissions; and 

6 instructions for causing one or more processors to derive, in response to a 

7 determination that the application has not been granted any permissions, said restrictions 

8 from said set of default encryption limitations. 

1 58. The computer readable medium of claim 55, wherein the instructions for 

2 causing one or more processors to reconcile said limitations and said permissions 

3 comprises: 
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4 instructions for causing one or more processors to determine whether the 

5 appUcation has been granted any permissions which require implementation of a 

6 particular exemption mechanism; 

7 instructions for causing one or more processors to determine, in response to a 

8 determination that the appHcation has been granted a permission which requires 

9 implementation of a particular exemption mechanism, whether said exempt encryption 

10 limitations allow said particular exemption mechanism to be implemented; and 

1 1 instructions for causing one or more processors to derive, in response to a 

12 determination that said exempt encryption limitations allow said particular exemption 

13 mechanism to be implemented, said restrictions from said set of exempt encryption 

14 limitations. 

1 59. The computer readable medium of claim 43, wherein the system further 

2 comprises a general implementation for said service, and wherein the instructions for 

3 causing one or more processors to dynamically construct said customized implementation 

4 comprises: 

5 instructions for causing one or more processors to instantiate the general 

6 implementation to give rise to a general implementation instance; 

7 instructions for causing one or more processors to instantiate a wrapper object; 

8 and 

9 instructions for causing one or more processors to encapsulate said general 

10 implementation instance and said restrictions within said wrapper object to derive said 

1 1 customized implementation. 
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1 60. The computer readable medium of claim 59, wherein said wrapper object 

2 comprises one or more invocable methods, wherein said general implementation instance 

3 comprises one or more invocable methods, and wherein the instructions for causing one 

4 or more processors to encapsulate comprises: 

5 instructions for causing one or more processors to map one or more of the 

6 invocable methods of said wrapper object to one or more of the invocable methods of 

7 said general implementation instance. 

1 61 . The computer readable medium of claim 60, wherein said wrapper object 

2 comprises initialization logic for enforcing said restrictions on said general 

3 implementation instance. 

1 62. The computer readable medium of claim 61 , wherein said initialization 

2 logic is invoked prior to allowing any of the invocable methods of said general 

3 implementation instance to be invoked. 

1 63. The computer readable medium of claim 59, further comprising: 

2 instructions for causing one or more processors to instantiate an exemption 

3 mechanism to give rise to an exemption mechanism instance; and 

4 instructions for causing one or more processors to encapsulate said exemption 

5 mechanism instance within said wrapper object. 

1 64. The method of claim 1, wherein said framework comprises Java 

2 Cryptography Extension to Java Platform. 
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65. The framework of claim 22, wherein said framework comprises Java 
Cryptography Extension to Java Platform. 

1 66. The computer readable medium of claim 43, wherein said framework 

2 comprises Java Cryptography Extension to Java Platform. 
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